Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splunk query issues

anu1
New Member
‎01-08-2025 09:35 PM

Hey team,

I have one requirement i.e have to Create a splunk dashboard to report the # of Logins , # of Logouts

The input for the Splunk report should be as follows : 

Input dropdown - Time Picker, Customer, Host Name

Either identify using probe data or Splunk Command metrics

Output for the following metrics should be shown as a timegraph with # of logins, logouts ,

the graph should consists of time,which host and which customer we are using.and the query also should have the tokens when i ran the query can you give me the search query for this requirement.I used multiple queries but am not getting the exact data.

Can you help me with the query.Thanks.

Labels (4)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-08-2025 11:59 PM

Hi  @anu1

,the dashboard is very easy, but it requires a preparation that depends on the number of data sources that you want to display in this dashboard.

In few words, you should:

  • analyze your data sources and define the conditions for LOGIN, LOGOUT and LOGFAIL, eg, for Windows login is EventCode=4624, logout is EventCode=4634 and logfail is EventCode=4625,
  • then create av eventtype for each condition assigning a tag (LOGIN, LOGOUT or LOGFAIL) to each eventtype,
  • create some alias to have the same field names for the fields to display (e.g. UserName, IP_Source,  Hostname, etc...)
  • create a dashboard running a search like the following:
tag=$tag$ host=$host$ UserName=$user$
| table _time tag HostName UserName IP_Source

the three tags in the main search come from three inputs.

Let me know if you need help to create the dashboard that's very easy.

Ciao.

Giuseppe

 

0 Karma
Reply

anu1
New Member
‎01-09-2025 12:13 AM

Sure.Thank you.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-09-2025 03:33 AM

Hi @anu1 ,

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply

PaulPanther
Motivator
‎01-08-2025 10:53 PM

Please share the search so far and some sample data then we might be able to help you with the search query.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top